CVE-2025-32910 Overview
CVE-2025-32910 is a NULL pointer dereference vulnerability in libsoup, an HTTP client/server library widely used by GNOME applications and other Linux software. The flaw resides in the soup_auth_digest_authenticate() function, which handles HTTP Digest authentication. A malicious server can send a crafted response that triggers the dereference, causing the libsoup-based client to crash. The vulnerability is classified as CWE-476 and affects availability without impacting confidentiality or integrity. Network-based exploitation requires user interaction, such as connecting to or fetching a resource from an attacker-controlled endpoint.
Critical Impact
A remote attacker controlling an HTTP server can crash any libsoup client that authenticates against it, causing denial of service for applications relying on the library.
Affected Products
- libsoup HTTP library (upstream)
- Red Hat Enterprise Linux builds covered by RHSA-2025:8292
- Debian LTS releases shipping vulnerable libsoup packages
Discovery Timeline
- 2025-04-14 - CVE-2025-32910 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-32910
Vulnerability Analysis
The defect lives in soup_auth_digest_authenticate(), the routine libsoup uses to compute and apply HTTP Digest authentication credentials. When the function processes authentication state, it dereferences a pointer without first verifying that the underlying field is non-NULL. The result is a process crash inside the client application.
This is a classic CWE-476 NULL pointer dereference. Because libsoup is embedded in many desktop and server applications, including GNOME components, browsers, and update tools, the crash propagates to whichever process loaded the library. The vulnerability impacts availability only; it does not enable code execution or data disclosure.
Exploitation requires user interaction. A user must initiate a request to a malicious or compromised server, after which the server returns crafted authentication headers that trigger the dereference during client-side processing.
Root Cause
The root cause is missing input validation inside soup_auth_digest_authenticate(). The function assumes that required Digest authentication parameters were successfully parsed and populated, but it does not check for NULL before accessing them. When a malformed or unexpected authentication challenge omits an expected field, the resulting pointer is NULL and the dereference faults.
Attack Vector
The attack vector is network-based with low complexity and no privileges required. An attacker hosts a malicious HTTP server, or sits on the network path and alters authentication responses in transit, and entices a libsoup-based client to authenticate. When the client invokes Digest authentication, the crafted server response forces a NULL dereference and the client process terminates. See the Red Hat CVE-2025-32910 advisory and Red Hat Bug Report #2359354 for upstream technical details.
Detection Methods for CVE-2025-32910
Indicators of Compromise
- Repeated unexpected crashes of applications linked against libsoup (for example, GNOME Online Accounts, Evolution, gnome-software, or other HTTP clients) shortly after issuing outbound HTTP requests.
- Core dumps or systemd-coredump entries referencing soup_auth_digest_authenticate in the call stack.
- Outbound HTTP connections to untrusted hosts returning Digest authentication challenges with missing or malformed parameters.
Detection Strategies
- Monitor application crash telemetry and journald logs for segmentation faults in processes that load libsoup-2.4.so or libsoup-3.0.so.
- Inspect network traffic for HTTP 401 Unauthorized responses containing malformed WWW-Authenticate: Digest headers directed at internal hosts.
- Correlate crash events with preceding outbound HTTP sessions to identify the triggering server.
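The following is an added example, not libsoup's own code, illustrating both the root cause described above (a Digest challenge that omits an expected field leaves a NULL pointer that is later dereferenced) and the detection idea of flagging malformed WWW-Authenticate: Digest challenges. It is a minimal challenge parser whose function and struct names are hypothetical; the defensive check is that required parameters are verified non-NULL before any use.

```c
/* Added example, not libsoup's own code: a minimal "WWW-Authenticate: Digest"
 * challenge parser showing the NULL check a client needs before using realm
 * and nonce. Function and struct names are hypothetical. */
#include <stdlib.h>
#include <string.h>

struct digest_params {
    char *realm;   /* NULL when the challenge omits realm= */
    char *nonce;   /* NULL when the challenge omits nonce= */
    char *qop;     /* optional in a valid challenge */
};

/* Copy n bytes of s into a fresh NUL-terminated string (portable strndup). */
static char *copy_n(const char *s, size_t n) {
    char *out = malloc(n + 1);
    if (!out) return NULL;
    memcpy(out, s, n);
    out[n] = '\0';
    return out;
}

/* Return a copy of the value of `key=` in the parameter list, or NULL if absent. */
static char *param_value(const char *params, const char *key) {
    size_t klen = strlen(key);
    for (const char *p = strstr(params, key); p; p = strstr(p + klen, key)) {
        /* Match only a whole parameter name that is followed by '='. */
        if ((p == params || p[-1] == ' ' || p[-1] == ',') && p[klen] == '=') {
            const char *v = p + klen + 1, *end;
            if (*v == '"') { v++; end = strchr(v, '"'); }
            else           { end = strpbrk(v, ", "); }
            if (!end) end = v + strlen(v);
            return copy_n(v, (size_t)(end - v));
        }
    }
    return NULL;
}
/* Parse a challenge. Returns 1 when every parameter a Digest response needs is
 * present, 0 when it is malformed: the CWE-476 case, where a later strlen() or
 * strcmp() on the missing field would dereference NULL and crash the client. */
int parse_digest_challenge(const char *hdr, struct digest_params *out) {
    memset(out, 0, sizeof *out);
    if (strncmp(hdr, "Digest ", 7) != 0) return 0;
    out->realm = param_value(hdr + 7, "realm");
    out->nonce = param_value(hdr + 7, "nonce");
    out->qop   = param_value(hdr + 7, "qop");
    return out->realm != NULL && out->nonce != NULL;
}

void free_digest_params(struct digest_params *p) { free(p->realm); free(p->nonce); free(p->qop); }
```

A client that rejects a challenge when parse_digest_challenge() returns 0, and a sensor that logs such 401 responses, both act on the same condition the advisory describes.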
Monitoring Recommendations
- Forward systemd-coredump and abrt events to a central logging or SIEM platform for review.
- Track installed libsoup package versions across the fleet and alert on hosts running pre-patch builds.
- Baseline normal HTTP authentication patterns and alert on unusual Digest challenges from previously unseen domains.
How to Mitigate CVE-2025-32910
Immediate Actions Required
- Apply the libsoup updates referenced in Red Hat Security Errata RHSA-2025:8292 and the Debian LTS Security Announcement.
- Restart services and desktop sessions after upgrade so updated library code is loaded by long-running processes.
- Inventory all applications that link against libsoup and prioritize patching internet-facing or user-driven clients.
Patch Information
Distribution maintainers have released fixed libsoup packages. Red Hat addresses this issue in RHSA-2025:8292, and Debian LTS ships fixed packages through its security archive. The upstream patch adds a NULL check before the affected dereference inside soup_auth_digest_authenticate().
Workarounds
- Avoid initiating HTTP requests to untrusted servers from libsoup-based applications until patches are applied.
- Restrict outbound HTTP traffic from sensitive workloads to a vetted allowlist of destinations.
- Disable or avoid HTTP Digest authentication in client configurations where the option exists, preferring stronger authentication schemes over TLS.
# Example: patch libsoup on supported distributions
# Red Hat Enterprise Linux
sudo dnf update libsoup libsoup3 --refresh
# Debian / Ubuntu
sudo apt-get update
sudo apt-get install --only-upgrade libsoup2.4-1 libsoup-3.0-0
# Verify installed version
rpm -q libsoup libsoup3 # RHEL family
dpkg -l | grep libsoup # Debian family
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


